IS404 Final Study Guide

1. p6 Need to know the four broad categories of technologies:
   * Networks
   * Systems
   * Processes
   * Applications
2. p5 Need to know that access control systems consist of three elements:
   * Policies
   * Procedures
   * Tools
3. p16 The purpose of access control is to regulate interactions between a subject and an object, such as data, a network, or a device.
4. p8 Need to know that confidence in any authentication system can be measured by two components: the type of correlation and the number of authentication factors.
5. p21 Access control threats cannot be 100% eliminated because new ones are constantly being devised.
6. p26-27 Quantitative risk assessment relies on several calculations:
   * Single Loss Expectancy (SLE)
   * Annual Rate of Occurrence (ARO)
   * Annualized Loss Expectancy (ALE)
7. p24 Social engineering is the single most common strategy attackers use, and it is also the most effective.
8. p35 Under the system/application domain, what is patch management? It can be used to address security threats.
9. p30 Where are access controls needed most? Unless there is an asset of special importance stored on the network, it is unnecessary to place separate access controls on each asset.
10. p45 There is significant overlap between security layers.
11. p45 A classification scheme is a method of organizing sensitive information into various access levels.
12. p46 Anyone can gain access to unclassified information through legal means via the Freedom of Information Act (FOIA).
13. p48 The Privacy Act of 1974 relates to the federal government.
14. p52-53 Why would you need to classify data? Risk avoidance.
15. p58 Operational efficiency:
   * The right information
   * The right people
   * The right time
16. p71-72 What is a key requirement of HIPAA? Security and privacy of health data.
17. p77 FERPA:
   * Computer media
   * Written documents stored in the student folder
18. p89 An IT security policy framework consists of:
   * Policy
   * Standard
   * Guideline
   * Procedure
19. p107-108 Kinds of security breaches:
   * System exploits
   * Eavesdropping
   * Social engineering
   * Denial of Service attacks
   * Indirect attacks
   * Direct access attacks
20. p98 Federal and state laws have been created to act as deterrents to information theft.
21. p99 DMCA (Digital Millennium Copyright Act): allows unauthorized disclosure of data by circumventing an established technological measure.
22. p120 Customer access to data: the advent of the Internet has made it easy for customers to order merchandise.
23. p130 Separation of responsibilities: if an attacker compromises one account, he or she will be denied access to another account.
24. p152 Acceptable Use Policy (AUP): defines how an employee may use equipment.
25. p143 Social engineering is a strategy in which hackers exploit general human trust:
   * Assumed identity
   * Believability
   * Multiple contacts
   * Request for help
26. p148-149 Job rotation, with separation of duties, reduces risk factors.
27. p166 You can manage ACLs in Microsoft Windows using Active Directory or NFS version 4.
28. p172 UNIX rights are: read, write, and execute.
29. p172 No permissions has a value of zero (0).
30. p165 Secure DIM: another method is to secure the communications channel. You can use protocols such as Secure Sockets Layer (SSL) to accomplish this.
31. p168 Delegated access rights are granted from something that owns an object to another user or system.
32. p209 Media Access Control is based on the sensitivity of the information contained in the objects.
33. p209-210 Role Based Access Control:
   * Role assessment
   * Role authorization
   * Transaction authorization
34. p219 Kerberos uses strong cryptography in order for the client to prove its identity to the server: Single Sign-in Method (SSM).
35. p228 All access points within range display their SSIDs.
36. p218 Two-factor authentication: something you have, something you know, something you are.
37. p280 Need to know the three different types of remote access authentication protocols:
   * PAP -
   * CHAP -
   * PPP -
38. p273 Need to know the purpose of AAA: Authentication, Authorization, and Accounting.
39. p285 Internet Key Exchange (IKE) is the de facto standard of IPsec.
40. p280 TACACS provides flexibility to network administrators by implementing AAA capabilities; RADIUS does not.
41. p285 Web authentication is needed where a VPN is not available.
42. p293 A single server provides central digital signing and verification services.
43. p306-307 PKI does not ensure that the end user can be trusted.
44. p312 The authentication service validates the subscriber's credentials for the registration authority prior to the request for a digital certificate.
45. p304 Non-repudiation is the concept of assuring that the originator cannot refute the origin of a statement or document.
46. p326 One advantage of non-intrusive testing methods is that they can uncover valuable information about potential vulnerabilities.
47. p327 Vulnerability assessment is the first step to hardening the network:
   * Network scanners
   * Port scanners
   * Web application scanners
48. p332 Breach response is double blind.
49. p334 Code injection is an attack in which a hacker injects malicious code into an input field, usually in a web application.
50. p340 The major deliverable from any penetration test is the analysis and report delivered to the organization.